What Corporations Can Do to Avoid Ransomware Attacks

Article

Allianz Global Corporate & Specialty (AGCS) has published a checklist of cyber risk management recommendations to help prevent ransomware attacks.

“In around 80% of ransomware incidents, losses could have been avoided if the organizations had followed best practices. Regular patching, multi-factor authentication, as well as information security and awareness training and incident response planning are essential to avoiding ransomware attacks and also constitute good cyber hygiene,” said Rishi Baviskar, global cyber experts leader at AGCS Risk Consulting.

“If companies adhere to best practice recommendations there is a good chance that they will not become ransomware victims. Numerous security gaps can be closed, often with simple measures,” he added. (See related article on AGCS’ cyber report, which contains these cyber risk management recommendations.)

The AGCS cyber risk management checklist follows:

Ransomware identification

— Are anti‑ransomware toolsets deployed throughout the organization?

— What proactive measures are in place for identification of ransomware threats?

— Are policies, procedures, access controls methods and communication channels updated frequently to address ransomware threats?

— Are in‑house capabilities or external arrangements in place to identify ransomware strains?

Business continuity planning/incident response plan

— Are ransomware‑specific incident response processes in place?

— Have there been any previous ransomware incidents? If so, what lessons have been learned?

— Are pre‑agreed IT forensic firm or anti‑ransomware service provider arrangements in place?

Anti‑phishing exercises and user awareness training

— Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls and social engineering attacks?

— Are social engineering or phishing simulation exercises conducted on an ongoing basis?

Backups

— Are regular backups performed, including frequent backups for critical systems to minimize the impact of the disruption? Are offline back‑ups maintained as well?

— Are backups encrypted? Are backups replicated and stored at multiple offsite locations?

— Are processes in place for successful restoration and recovery of key assets within the recovery time objective (RTO)?

— Are backups periodically retrieved compared to the original data to ensure backup integrity?

Endpoints

— Are endpoint protection (EPP) products and endpoint detection and response (EDR) solutions utilized across the organization on mobile devices, tablets, laptops, desktops etc.?

— Are local administrator password solutions (LAPS) implemented on endpoints?

Email, web, office documents security

— Is sender policy framework strictly enforced?

— Are email gateways configured to look for potentially malicious links and programs?

— Is web content filtering enforced with restricting access to social media platforms?

Segmentation

— Are physical, logical segregations maintained within the network, including the cloud environment?

— Are micro segmentation and zero trust frameworks in place to reduce the overall attack surface?

Monitoring patching and vulnerability management policies

— Are automated scans run to detect vulnerabilities? Are third party penetration tests performed on a regular basis?

— Does the organization ensure appropriate access policies, enforcement of multi‑factor authentication for critical data access, remote network connections and for privileged user access?

— Is continuous monitoring in place for detecting unusual account behavior, new domain accounts and any account privilege escalations (administrator level), new service additions, and unusual chain of commands being run during a short time period?